More Customization Options

In addition to the command-line parameters, a configuration (profile) file also controls the test process. By default, Lynis orients its actions on the specifications from the default.prf file supplied with the package. This file will probably be fine for most scenarios. You will typically only need to modify the file if you are using Lynis Enterprise. The structure and settings of the profile are explained in the comments it contains. You can tell Lynis to use your own profile from the myprofile.prf file by passing in the parameter --profile myprofile.prf.

You can add a number of tests to Lynis as plugins. A plugin is simply a normal shell script that begins with a couple of special comments containing details about its purpose. The script uses the functions provided by Lynis and resides in the plugins subdirectory. One example of a small plugin is the plugins/custom_plugin.template file. For Lynis to integrate and use the plugin, you need to register it in the profile. To do so, add a line stating plugin=myplugin for a plugin by the name of myplugin.

Conclusions

Lynis helps administrators identify vulnerabilities and problematic configurations. The tool is only capable of discovering problems that it is familiar with, of course. In particular, any homegrown scripts or other self-programmed software will be ignored. Additionally, Lynis only provides tips; it is up to the administrator to interpret the test results. Lynis is thus only one building block in your overall security system.